From 152c7f8eefeea6d69b0b72ca1bb2e8345f66acd9 Mon Sep 17 00:00:00 2001
From: Daniil Baturin
Date: Sun, 18 Nov 2018 19:11:57 +0100
Subject: T573: add support for matching IPv6 hop limit. Patch by Ray Patrick Soucy.
---
 lib/Vyatta/IpTables/Rule.pm | 29 ++++++++++++++++++++--
 .../node.tag/rule/node.tag/hop-limit/eq/node.def | 5 ++++
 .../node.tag/rule/node.tag/hop-limit/gt/node.def | 5 ++++
 .../node.tag/rule/node.tag/hop-limit/lt/node.def | 5 ++++
 .../node.tag/rule/node.tag/hop-limit/node.def | 1 +
 5 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/eq/node.def
 create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/gt/node.def
 create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/lt/node.def
 create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/node.def

diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index 08772a1..5172011 100755
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -59,7 +59,12 @@ my %fields = (
 },
 _disable => undef,
 _ip_version => undef,
- _comment => undef
+ _comment => undef,
+ _hop_limit => {
+ _eq => undef,
+ _lt => undef,
+ _gt => undef,
+ }
 );
 
 my %dummy_rule = (
@@ -112,7 +117,12 @@ my %dummy_rule = (
 },
 _disable => undef,
 _ip_version => undef,
- _comment => undef
+ _comment => undef,
+ _hop_limit => {
+ _eq => undef,
+ _lt => undef,
+ _gt => undef,
+ }
 );
 
 my $DEBUG = 'false';
@@ -206,6 +216,10 @@ sub setup_base {
 
 $self->{_disable} = $config->$exists_func("disable");
 
+ $self->{_hop_limit}->{_eq} = $config->$val_func("hop-limit eq");
+ $self->{_hop_limit}->{_lt} = $config->$val_func("hop-limit lt");
+ $self->{_hop_limit}->{_gt} = $config->$val_func("hop-limit gt");
+
 # TODO: need $config->exists("$level source") in Vyatta::Config.pm
 $src->$addr_setup("$level source");
 $dst->$addr_setup("$level destination");
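Review bot: The new `_hop_limit` sub-hash in %fields says nothing about what its three keys mean or whether more than one of them may be set at once, so a reader of Rule.pm alone cannot tell that eq/lt/gt are meant to be mutually exclusive and that only the template commit:expression in this same commit keeps them so. Suggest a comment above `_hop_limit => {` such as `# IPv6 hop-limit match (ip6tables hl module); only one of eq/lt/gt is expected, enforced by the template commit:expression, not here`. The %fields declaration starts before the hunk.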
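Review bot: The three `$val_func("hop-limit …")` reads added to setup_base run for every rule, while the diffstat shows the hop-limit node is only created under templates/firewall/ipv6-name, so for an IPv4 rule they rely on $val_func returning undef for a node that does not exist rather than on any explicit check on `_ip_version`. That is presumably fine today, but nothing records the assumption, and it is what keeps `-m hl` out of iptables (IPv4) command lines. Suggest `# hop-limit nodes exist only under ipv6-name; for IPv4 rules these stay undef` above the first assignment. setup_base starts and ends outside the hunk.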
@@ -255,6 +269,7 @@ sub print {
 print "mod table: $self->{_mod_table}\n" if defined $self->{_mod_table};
 print "mod dscp: $self->{_mod_dscp}\n" if defined $self->{_mod_dscp};
 print "mod tcp-mss: $self->{_mod_tcpmss}\n" if defined $self->{_mod_tcpmss};
+ print "hop-limit: $self->{_hop_limit}\n" if defined $self->{_hop_limit};
 
 $src->print();
 $dst->print();
@@ -423,6 +438,16 @@ sub rule {
 }
 }
 
+ # Setup HL rule if configured
+ #
+ if ( defined($self->{_hop_limit}->{_eq}) ) {
+ $rule .= " -m hl --hl-eq $self->{_hop_limit}->{_eq}";
+ } elsif ( defined($self->{_hop_limit}->{_lt}) ) {
+ $rule .= " -m hl --hl-lt $self->{_hop_limit}->{_lt}";
+ } elsif ( defined($self->{_hop_limit}->{_gt}) ) {
+ $rule .= " -m hl --hl-gt $self->{_hop_limit}->{_gt}";
+ }
+
 # add the source and destination rules
 ($srcrule, $err_str) = $src->rule();
 return ($err_str,) if (!defined($srcrule));
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/eq/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/eq/node.def
new file mode 100644
index 0000000..e4e6fef
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/eq/node.def
@@ -0,0 +1,5 @@
+type: u32
+help: Value to match a hop limit equal to it
+val_help: u32:0-255; Hop limit equal to value
+syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "eq must be between 0 and 255"
+commit:expression: ($VAR(../lt/) == "") && ($VAR(../gt/) == ""); "you may only define one comparison (eq|lt|gt)"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/gt/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/gt/node.def
new file mode 100644
index 0000000..b3f442c
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/gt/node.def
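Review bot: `defined $self->{_hop_limit}` on the added print line is always true, because the %fields hunk earlier in this commit initialises `_hop_limit` to a hash reference, so the debug output shows `hop-limit: HASH(0x…)` for every rule and never the configured value. Print the leaves instead, mirroring the sibling lines: `print "hop-limit eq: $self->{_hop_limit}->{_eq}\n" if defined $self->{_hop_limit}->{_eq};` and the same two lines for `_lt` and `_gt`. The rest of sub print lies outside the hunk.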
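Review bot: When more than one of eq/lt/gt is set, the new if/elsif chain in rule() silently emits only `--hl-eq` and drops the rest, relying entirely on the template commit:expression to prevent that state; since rule() already has an error-return convention (`return ($err_str,)` on the hunk's last line), a guard would keep the Perl consistent with the templates, e.g. `return ("only one of hop-limit eq, lt or gt may be set",) if (grep { defined } @{$self->{_hop_limit}}{qw(_eq _lt _gt)}) > 1;` before the chain. Note also that the value is interpolated straight into the iptables command string, so the 0–255 syntax check in the node.def files is, as far as this hunk shows, the only thing keeping it well-formed; a comment saying so (`# value range is validated by the template syntax:expression`) would help the next reader. sub rule starts and ends outside the hunk.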
@@ -0,0 +1,5 @@
+type: u32
+help: Value to match a hop limit greater than or equal to it
+val_help: u32:0-255; Hop limit greater than value
+syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "gt must be between 0 and 255"
+commit:expression: ($VAR(../lt/) == "") && ($VAR(../eq/) == ""); "you may only define one comparison (eq|lt|gt)"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/lt/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/lt/node.def
new file mode 100644
index 0000000..c9b422d
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/lt/node.def
@@ -0,0 +1,5 @@
+type: u32
+help: Value to match a hop limit less than or equal to it
+val_help: u32:0-255; Hop limit less than value
+syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "lt must be between 0 and 255"
+commit:expression: ($VAR(../eq/) == "") && ($VAR(../gt/) == ""); "you may only define one comparison (eq|lt|gt)"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/node.def
new file mode 100644
index 0000000..968f94b
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/node.def
@@ -0,0 +1 @@
+help: Hop Limit
-- 
cgit v1.2.3
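Review bot: The gt node's `help:` says "greater than or equal to it" while its own `val_help:` says "greater than value", and the Rule.pm hunk turns this node into `--hl-gt`, which the ip6tables hl extension documents as a strict greater-than; an operator reading the help will set `gt 64` expecting 64 to match when it will not. Suggest `help: Value to match a hop limit greater than it` so the two strings and the generated match agree.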
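Review bot: The lt node has the same mismatch as gt: `help:` says "less than or equal to it", `val_help:` says "less than value", and the generated `--hl-lt` match is a strict less-than in the ip6tables hl extension, so the boundary value is excluded despite what the help promises. Suggest `help: Value to match a hop limit less than it`.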